RSA Keon Certificate Authority OneStep talks to the secure KCA port (e.g. 636) using the SSL-LDAP protocol. A SSL secure tunnel is created between OneStep and the KCA. Once the transaction is completed, this tunnel is closed. Thus, there are also no issues where most firewalls drop inactive connections after a set period of time.

For KCA to respond, you must possess the right bindDN, bindPW, and SSL certificate. The SSL certificate identifies the sort the operations the requestor can perform as these are governed by the LDAP ACL rules. When you approve a KCA SSL certificate for OneStep or KRA, part of the process is setting the LDAP ACL to limit what that certificate can do.

As far as OneStep is concerned, the SSL certificate entitles the application to send certificate requests to KCA, and these requests can only be signed by whichever jurisdiction was configured for the OneStep SSL certificate.

The network traffic on a port can be sniffed but the data traffic is encrypted, and it is as secure as the session key and key size negotiated to encrypt the data.